CVE-2024-30260
Aliases: GHSA-m4v8-wqvr-p9f7
Advisory lineage Upstream: 0 Downstream: 9
Modified
Published: 04 Apr 2024, 15:15
Last modified: 04 Nov 2025, 16:11
Vulnerability Summary
Overall Risk (default): low (17/100)
CVSS Score: 4.3 MEDIUM (v3.1, nvd)
EPSS Score: 0.2% LOW (0% probability, +0.01%)
KEV: Not listed
Ransomware: No reports
Public exploits: None found
Dark Web: Not detected
Timeline
- 04 Apr 2024, 15:15 • Published • Vulnerability first disclosed
- 04 Nov 2025, 16:11 • Last Modified • Vulnerability information updated
Description
Undici is an HTTP/1.1 client, written from scratch for Node.js. Undici cleared Authorization and Proxy-Authorization headers for `fetch()`, but did not clear them for `undici.request()`. This vulnerability was patched in version(s) 5.28.4 and 6.11.1.
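The flaw described above concerns redirect following: a client that forwards the caller's Authorization or Proxy-Authorization header to a redirect target on a different origin hands the credential to a host the caller never addressed. The example below is an added illustration and is not undici's own code; it models the two policies side by side (`keepAll`, which forwards headers untouched as the unfixed `request()` path did, and `stripCrossOrigin`, the intended behaviour) over a constructed redirect chain, so the difference can be checked the way a regression test would. The URLs, token and header set are constructed values.

```javascript
// Added example, not undici's code. Assumption: a redirect whose target differs in
// scheme, host or port is cross-origin and must not carry credential headers.
const CREDENTIAL_HEADERS = new Set(['authorization', 'proxy-authorization']);

function sameOrigin(a, b) {
  // URL.host includes a non-default port, so scheme + host identifies the origin.
  return a.protocol === b.protocol && a.host === b.host;
}

// Policy mirroring the flaw: every header is forwarded to the redirect target unchanged.
function keepAll(headers) {
  return { ...headers };
}

// Intended policy: credential headers are dropped when the origin changes.
function stripCrossOrigin(headers, from, to) {
  if (sameOrigin(from, to)) return { ...headers };
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    if (!CREDENTIAL_HEADERS.has(name.toLowerCase())) out[name] = value;
  }
  return out;
}

// Simulated redirect chain. `responses` maps a URL to { status, location } for hops that
// redirect; a URL absent from the map is the final hop. Returns the final URL and the
// headers that would be sent to it under `policy`.
function followRedirects(startUrl, headers, responses, policy, maxRedirections = 5) {
  let current = new URL(startUrl);
  let sent = { ...headers };
  for (let hop = 0; hop <= maxRedirections; hop++) {
    const resp = responses[current.href];
    if (!resp || resp.status < 300 || resp.status > 399) {
      return { url: current.href, headers: sent };
    }
    const next = new URL(resp.location, current); // Location may be relative
    sent = policy(sent, current, next);
    current = next;
  }
  throw new Error('too many redirects');
}

// Constructed scenario: one endpoint redirects to a different host, another stays local.
const RESPONSES = {
  'https://api.example.com/v1/data': { status: 302, location: 'https://cdn.example.net/data' },
  'https://api.example.com/v1/same': { status: 302, location: '/v1/local' },
};
const REQUEST_HEADERS = { Authorization: 'Bearer constructed-token', Accept: 'application/json' };

// True when a credential header would reach the cross-origin target under `policy`.
function leaksCredentials(policy) {
  const { headers } = followRedirects('https://api.example.com/v1/data', REQUEST_HEADERS, RESPONSES, policy);
  return Object.keys(headers).some((h) => CREDENTIAL_HEADERS.has(h.toLowerCase()));
}

console.log('keepAll leaks the token:', leaksCredentials(keepAll));                   // true
console.log('stripCrossOrigin leaks the token:', leaksCredentials(stripCrossOrigin)); // false
```

The same-origin hop (`/v1/same` to `/v1/local`) keeps the Authorization header under both policies; only the cross-origin hop distinguishes them, which is the case to cover when checking an HTTP client library against this class of bug.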
CVSS Metrics
- v3.1 • LOW • Score: 3.9 • CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L
- v3.1 • MEDIUM • Score: 4.3 • CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L
EPSS Trends
Current EPSS score: 0.20% • Percentile: 42%
Techniques & Countermeasures
- CWE-285 • Improper Authorization
The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
- CWE-863 • Incorrect Authorization
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
Affected Systems
- fedoraproject • fedora: 38 | 39 | 40
- nodejs • undici: < 5.28.4 | ≥ 6.0.0, < 6.11.1
- Npm • undici: < 5.28.4 | ≥ 6.0.0, < 6.11.1
References (14)
- https://github.com/nodejs/undici/security/advisories/GHSA-m4v8-wqvr-p9f7
- https://github.com/nodejs/undici/commit/64e3402da4e032e68de46acb52800c9a06aaea3f
- https://github.com/nodejs/undici/commit/6805746680d27a5369d7fb67bc05f95a28247d75
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P6Q4RGETHVYVHDIQGTJGU5AV6NJEI67E/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HQVHWAS6WDXXIU7F72XI55VZ2LTZUB33/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NC3V3HFZ5MOJRZDY5ZELL6REIRSPFROJ/
- https://security.netapp.com/advisory/ntap-20240905-0008/
- https://nvd.nist.gov/vuln/detail/CVE-2024-30260
- https://hackerone.com/reports/2408074
- https://github.com/nodejs/undici
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HQVHWAS6WDXXIU7F72XI55VZ2LTZUB33
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NC3V3HFZ5MOJRZDY5ZELL6REIRSPFROJ
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P6Q4RGETHVYVHDIQGTJGU5AV6NJEI67E
- https://security.netapp.com/advisory/ntap-20240905-0008